From 5f7410249b093b3554733002507f137010ce7f07 Mon Sep 17 00:00:00 2001 From: Heena Manwani Date: Wed, 16 Apr 2025 19:58:08 +0530 Subject: [PATCH 1/5] RHIDP-6570: Document the permission support to RBAC plugin --- ...bly-configuring-authorization-in-rhdh.adoc | 1 + .../proc-delegating-rbac-access.adoc | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 modules/authorization/proc-delegating-rbac-access.adoc diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 8db4efc46e..5cd1939bab 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -43,6 +43,7 @@ include::assembly-managing-authorizations-by-using-external-files.adoc[leveloffs include::assembly-configuring-guest-access-with-rbac-ui.adoc[leveloffset=+1] +include::modules/authorization/proc-delegating-rbac-access.adoc[leveloffset=+1] include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] diff --git a/modules/authorization/proc-delegating-rbac-access.adoc b/modules/authorization/proc-delegating-rbac-access.adoc new file mode 100644 index 0000000000..b3ee2d957c --- /dev/null +++ b/modules/authorization/proc-delegating-rbac-access.adoc 
@@ -0,0 +1,35 @@ +[id='proc-delegating-rbac-access_{context}'] += Delegating role-based access controls (RBAC) access in {product} + +An enterprise customer requires the ability to delegate role-based access control (RBAC) responsibilities to individual team leads. In this scenario, you, as the administrator, can provide access to the RBAC plugin specifically to designated users, such as team leads. Each team lead is then able to manage permissions exclusively for users within their respective team or department, without visibility into or control over permissions outside their assigned scope. + +The expected results of delegating RBAC access are as follows: + +* Team leads can manage RBAC settings for their teams independently. +* Visibility of other users' or teams' permissions is restricted. +* Administrators retain overarching control while delegating team-specific access. + +.Prerequisites +* Your {product-very-short} instance is up and running with RBAC plugin installed and configured. +* You have administrative access to {product-very-short}. + +.Procedure +. In your {product-very-short} instance, navigate to the *Administration -> RBAC* page. +. Create a new role designated for team leads. ++ +For more information about creating a role, see xref:proc-rbac-ui-create-role_title-authorization[Creating a role in the {product} Web UI]. + +. Add the appropriate users or groups to the newly created role. +. Define the necessary permissions for the role based on the tasks the team leads are expected to manage. For example, you can allow team leads to access the RBAC UI and save permission changes for added users or groups. +. Apply access conditions to scope the role’s visibility and control to specific users or groups. For example, you can limit each team lead’s access to only their team. +. Save the changes. + +.Verification +Log in as a team lead and verify the following: + +* The RBAC UI is accessible. +* Only the assigned users or group is visible. 
+* Permissions outside the scoped team are not viewable or editable. + + + From 58fd2a67b24bf75f37589ed2cfd0b260737fcaab Mon Sep 17 00:00:00 2001 From: Heena Manwani Date: Tue, 22 Apr 2025 20:25:44 +0530 Subject: [PATCH 2/5] Incorporated APIs --- .../proc-delegating-rbac-access.adoc | 170 ++++++++++++++++-- 1 file changed, 157 insertions(+), 13 deletions(-) diff --git a/modules/authorization/proc-delegating-rbac-access.adoc b/modules/authorization/proc-delegating-rbac-access.adoc index b3ee2d957c..f28d58d3b2 100644 --- a/modules/authorization/proc-delegating-rbac-access.adoc +++ b/modules/authorization/proc-delegating-rbac-access.adoc 
@@ -1,9 +1,11 @@ [id='proc-delegating-rbac-access_{context}'] = Delegating role-based access controls (RBAC) access in {product} -An enterprise customer requires the ability to delegate role-based access control (RBAC) responsibilities to individual team leads. In this scenario, you, as the administrator, can provide access to the RBAC plugin specifically to designated users, such as team leads. Each team lead is then able to manage permissions exclusively for users within their respective team or department, without visibility into or control over permissions outside their assigned scope. +An enterprise customer requires the ability to delegate role-based access control (RBAC) responsibilities to other individual in the organization. In this scenario, you, as the administrator, can provide access to the RBAC plugin specifically to designated users, such as team leads. Each team lead is then able to manage permissions exclusively for users within their respective team or department, without visibility into or control over permissions outside their assigned scope. This approach allows team leads to manage access and permissions for their own teams independently, while administrators maintain global oversight. -The expected results of delegating RBAC access are as follows: +In {product-very-short}, you can delegate RBAC access using the multitenancy feature of RBAC plugin, specifically the `IS_OWNER` conditional rule. + +By delegating the RBAC access, you can expect the following outcomes: * Team leads can manage RBAC settings for their teams independently. * Visibility of other users' or teams' permissions is restricted. 
@@ -12,24 +14,166 @@ The expected results of delegating RBAC access are as follows: .Prerequisites * Your {product-very-short} instance is up and running with RBAC plugin installed and configured. * You have administrative access to {product-very-short}. +* You have API access using `curl` or another tool. .Procedure . In your {product-very-short} instance, navigate to the *Administration -> RBAC* page. -. Create a new role designated for team leads. +. Create a new role designated for team leads using the Web UI or API: + -For more information about creating a role, see xref:proc-rbac-ui-create-role_title-authorization[Creating a role in the {product} Web UI]. +-- +.Example of creating a new role for the team lead using the RBAC backend API +[source,bash] +---- +curl -X POST 'http://localhost:7007/api/permission/roles' \ +--header "Authorization: Bearer $ADMIN_TOKEN" \ +--header "Content-Type: application/json" \ +--data '{ + "memberReferences": ["user:default/team_lead"], + "name": "role:default/team_lead", + "metadata": { + "description": "This is an example team lead role" + } +}' +---- -. Add the appropriate users or groups to the newly created role. -. Define the necessary permissions for the role based on the tasks the team leads are expected to manage. For example, you can allow team leads to access the RBAC UI and save permission changes for added users or groups. -. Apply access conditions to scope the role’s visibility and control to specific users or groups. For example, you can limit each team lead’s access to only their team. -. Save the changes. +For more information about creating a role using the Web UI, see xref:proc-rbac-ui-create-role_title-authorization[Creating a role in the {product} Web UI]. +-- -.Verification -Log in as a team lead and verify the following: +. 
Allow team leads to read catalog entities and create permissions in the RBAC plugin using the Web UI or the following API request: ++ +-- +.Example of granting the team lead role permission to create RBAC policies and read catalog entities +[source,bash] +---- +curl -X POST 'http://localhost:7007/api/permission/policies' \ +--header "Authorization: Bearer $ADMIN_TOKEN" \ +--header "Content-Type: application/json" \ +--data '[ + { + "entityReference": "role:default/team_lead", + "permission": "policy-entity", + "policy": "create", + "effect": "allow" + }, + { + "entityReference": "role:default/team_lead", + "permission": "catalog-entity", + "policy": "read", + "effect": "allow" + } +]' +---- +-- + +. To ensure team leads can only manage what they own, use the `IS_OWNER` conditional rule as follows: ++ +-- +.Example `curl` of applying a conditional access policy using the `IS_OWNER` rule for the team lead role +[source,bash] +---- +curl -X POST 'http://localhost:7007/api/permission/roles/conditions' \ +--header "Authorization: Bearer $ADMIN_TOKEN" \ +--header "Content-Type: application/json" \ +--data '{ + "result": "CONDITIONAL", + "pluginId": "permission", + "resourceType": "policy-entity", + "conditions": { + "rule": "IS_OWNER", + "resourceType": "policy-entity", + "params": { + "owners": [ + "user:default/team_lead" + ] + } + }, + "roleEntityRef": "role:default/team_lead", + "permissionMapping": [ + "read", + "update", + "delete" + ] +}' +---- +The previous example of conditional policy limits visibility and control to only owned roles and policies. +-- -* The RBAC UI is accessible. -* Only the assigned users or group is visible. -* Permissions outside the scoped team are not viewable or editable. +. Log in to {product-very-short} as team lead and verify the following: ++ +-- +.. 
Use the following request and verify that you do not see any roles: ++ +.Example `curl` to retrieve roles visible to the team lead +[source,bash] +---- +curl -X GET 'http://localhost:7007/api/permission/roles' \ +--header "Authorization: Bearer $TEAM_LEAD_TOKEN" + +---- + +.. Use the following request to create a new role for their team: ++ +.Example `curl` of team lead creating a new role for their team with ownership assigned +[source,bash] +---- +curl -X POST 'http://localhost:7007/api/permission/roles' \ +--header "Authorization: Bearer $TEAM_LEAD_TOKEN" \ +--header "Content-Type: application/json" \ +--data '{ + "memberReferences": ["user:default/team_member"], + "name": "role:default/team_a", + "metadata": { + "description": "This is an example team_a role", + "owner": "user:default/team_lead" + } +}' +---- ++ +[NOTE] +==== +You can set the ownership during creation but you can also update the ownership at any time. +==== + +.. Use the following request to assign a permission policy to the new role: ++ +.Example `curl` for granting read access to catalog entities for the new role +[source,bash] +---- +curl -X POST 'http://localhost:7007/api/permission/policies' \ +--header "Authorization: Bearer $ADMIN_TOKEN" \ +--header "Content-Type: application/json" \ +--data '[ + { + "entityReference": "role:default/team_a", + "permission": "catalog-entity", + "policy": "read", + "effect": "allow" + } +]' +---- + +.. Use the following request to verify that only team-owned roles and policies are visible: ++ +.Example `curl` to retrieve roles and permission policies visible to the team lead +[source,bash] +---- +curl -X GET 'http://localhost:7007/api/permission/roles' \ +--header "Authorization: Bearer $TEAM_LEAD_TOKEN" + +curl -X GET 'http://localhost:7007/api/permission/policies' \ +--header "Authorization: Bearer $TEAM_LEAD_TOKEN" +---- +-- + +.Verification +* Log in as a team lead and verify the following: ++ +-- +** The RBAC UI is accessible. 
+** Only the assigned users or group is visible. +** Permissions outside the scoped team are not viewable or editable. +-- +* Log in as an administrator and verify that you retain full visibility and conrol From ce339edacc76e1d595d80285118bfffe174645b5 Mon Sep 17 00:00:00 2001 From: Heena Manwani Date: Thu, 24 Apr 2025 13:25:56 +0530 Subject: [PATCH 3/5] Incorporated review comments --- modules/authorization/proc-delegating-rbac-access.adoc | 2 +- modules/authorization/ref-rbac-permission-policies.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/authorization/proc-delegating-rbac-access.adoc b/modules/authorization/proc-delegating-rbac-access.adoc index f28d58d3b2..69c966901a 100644 --- a/modules/authorization/proc-delegating-rbac-access.adoc +++ b/modules/authorization/proc-delegating-rbac-access.adoc @@ -51,7 +51,7 @@ curl -X POST 'http://localhost:7007/api/permission/policies' \ --data '[ { "entityReference": "role:default/team_lead", - "permission": "policy-entity", + "permission": "policy.entity.create", "policy": "create", "effect": "allow" }, diff --git a/modules/authorization/ref-rbac-permission-policies.adoc b/modules/authorization/ref-rbac-permission-policies.adoc index c8b34ff91f..aec88f5c8d 100644 --- a/modules/authorization/ref-rbac-permission-policies.adoc +++ b/modules/authorization/ref-rbac-permission-policies.adoc @@ -158,7 +158,7 @@ RBAC permissions:: |Allows a user or role to read permission policies and roles |`policy.entity.create` -|`policy-entity` +|`policy.entity.create` |`create` |Allows a user or role to create a single or multiple permission policies and roles From 56a980433b66c3860509a5207fc9dcc23a9f90be Mon Sep 17 00:00:00 2001 From: Heena Manwani Date: Tue, 29 Apr 2025 12:42:31 +0530 Subject: [PATCH 4/5] review comment --- modules/authorization/ref-rbac-permission-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/authorization/ref-rbac-permission-policies.adoc b/modules/authorization/ref-rbac-permission-policies.adoc index aec88f5c8d..dfebf48068 100644 --- a/modules/authorization/ref-rbac-permission-policies.adoc +++ b/modules/authorization/ref-rbac-permission-policies.adoc @@ -158,7 +158,7 @@ RBAC permissions:: |Allows a user or role to read permission policies and roles |`policy.entity.create` -|`policy.entity.create` +| |`create` |Allows a user or role to create a single or multiple permission policies and roles From fafe32a6dcbffa0b3622dd7de88c0d070026c610 Mon Sep 17 00:00:00 2001 From: Heena Manwani Date: Tue, 29 Apr 2025 16:18:33 +0530 Subject: [PATCH 5/5] peer review comments --- modules/authorization/proc-delegating-rbac-access.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/authorization/proc-delegating-rbac-access.adoc b/modules/authorization/proc-delegating-rbac-access.adoc index 69c966901a..3ef727a176 100644 --- a/modules/authorization/proc-delegating-rbac-access.adoc +++ b/modules/authorization/proc-delegating-rbac-access.adoc 
@@ -1,7 +1,7 @@ [id='proc-delegating-rbac-access_{context}'] = Delegating role-based access controls (RBAC) access in {product} -An enterprise customer requires the ability to delegate role-based access control (RBAC) responsibilities to other individual in the organization. In this scenario, you, as the administrator, can provide access to the RBAC plugin specifically to designated users, such as team leads. Each team lead is then able to manage permissions exclusively for users within their respective team or department, without visibility into or control over permissions outside their assigned scope. This approach allows team leads to manage access and permissions for their own teams independently, while administrators maintain global oversight. +An enterprise customer requires the ability to delegate role-based access control (RBAC) responsibilities to other individuals in the organization. In this scenario, you, as the administrator, can provide access to the RBAC plugin specifically to designated users, such as team leads. Each team lead is then able to manage permissions exclusively for users within their respective team or department, without visibility into or control over permissions outside their assigned scope. This approach allows team leads to manage access and permissions for their own teams independently, while administrators maintain global oversight. In {product-very-short}, you can delegate RBAC access using the multitenancy feature of RBAC plugin, specifically the `IS_OWNER` conditional rule. @@ -131,7 +131,7 @@ curl -X POST 'http://localhost:7007/api/permission/roles' \ + [NOTE] ==== -You can set the ownership during creation but you can also update the ownership at any time. +You can set the ownership during creation, but you can also update the ownership at any time. ==== .. Use the following request to assign a permission policy to the new role: 
@@ -173,7 +173,7 @@ curl -X GET 'http://localhost:7007/api/permission/policies' \ ** Only the assigned users or group is visible. ** Permissions outside the scoped team are not viewable or editable. -- -* Log in as an administrator and verify that you retain full visibility and conrol +* Log in as an administrator and verify that you retain full visibility and control.
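Review bot: In PATCH 1/5, the new file `modules/authorization/proc-delegating-rbac-access.adoc`, the verification bullet "Only the assigned users or group is visible" mixes singular and plural; suggest "Only the assigned users or groups are visible." The same line survives as context in PATCH 2/5 and PATCH 5/5, so it needs a fix in the final revision too. The heading "Delegating role-based access controls (RBAC) access in {product}" repeats "access"; "Delegating role-based access control (RBAC) in {product}" reads more cleanly and matches the expansion used in the first paragraph.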
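Review bot: In PATCH 2/5, hunk `@@ -1,9 +1,11 @@`, "the multitenancy feature of RBAC plugin" is missing an article ("of the RBAC plugin"), and "By delegating the RBAC access" should drop "the". The "other individual" typo in the same hunk is fixed in PATCH 5/5; consider folding that fix into this commit so the series does not introduce and then correct the same line.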
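Review bot: In PATCH 2/5, hunk `@@ -12,24 +14,166 @@`, the sub-step "Use the following request to assign a permission policy to the new role" sits under "Log in to {product-very-short} as team lead" but sends `--header "Authorization: Bearer $ADMIN_TOKEN"`; either switch it to `$TEAM_LEAD_TOKEN` so the step actually exercises the delegated access, or say explicitly that this step is performed by the administrator. Related: the procedure grants the team lead `"permission": "policy-entity", "policy": "create"` with no condition, while the `IS_OWNER` condition only lists `"permissionMapping": ["read", "update", "delete"]`; the sentence "limits visibility and control to only owned roles and policies" should state that creation is not scoped by the condition and that a role created without `"owner"` in its `metadata` will not be visible to the team lead afterwards, which is the point the `[NOTE]` on ownership should make explicit. The new prerequisite about `curl` access introduces `$ADMIN_TOKEN` and `$TEAM_LEAD_TOKEN` without saying what they hold; one sentence stating that they are bearer tokens for the administrator and team lead users respectively would help. Minor: the first GET example under the team-lead login has a stray blank line before its closing `----`.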
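Review bot: In PATCH 4/5, the single hunk in `ref-rbac-permission-policies.adoc` blanks the resource-type cell that PATCH 3/5's second hunk had just changed from `policy-entity` to `policy.entity.create`; since the net effect of the two commits is only to clear the cell, squash them and give the result a message that says what changed and why (the `policy.entity.create` permission has no resource type), rather than "Incorporated review comments" and "review comment". Check that an empty cell is how other non-resource permissions are rendered in that table so the row stays consistent with its neighbours.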